IDEAS home Printed from https://ideas.repec.org/a/gam/jmathe/v12y2024i15p2299-d1440633.html
   My bibliography  Save this article

Unveiling Malicious Network Flows Using Benford’s Law

Author

Listed:
  • Pedro Fernandes

    (Department of Information Technology, Technological University of the Shannon, Moylish Campus, Moylish Park, V94 EC5T Limerick, Ireland
    These authors contributed equally to this work.)

  • Séamus Ó Ciardhuáin

    (Department of Information Technology, Technological University of the Shannon, Moylish Campus, Moylish Park, V94 EC5T Limerick, Ireland
    These authors contributed equally to this work.)

  • Mário Antunes

    (School of Technology and Management, Polytechnic University of Leiria, 2411-901 Leiria, Portugal
    INESC TEC, CRACS, 4200-465 Porto, Portugal
    These authors contributed equally to this work.)

Abstract

The increasing proliferation of cyber-attacks threatening the security of computer networks has driven the development of more effective methods for identifying malicious network flows. The inclusion of statistical laws, such as Benford’s Law, and distance functions, applied to the first digits of network flow metadata, such as IP addresses or packet sizes, facilitates the detection of abnormal patterns in the digits. These techniques also allow for quantifying discrepancies between expected and suspicious flows, significantly enhancing the accuracy and speed of threat detection. This paper introduces a novel method for identifying and analyzing anomalies within computer networks. It integrates Benford’s Law into the analysis process and incorporates a range of distance functions, namely the Mean Absolute Deviation (MAD), the Kolmogorov–Smirnov test (KS), and the Kullback–Leibler divergence (KL), which serve as dispersion measures for quantifying the extent of anomalies detected in network flows. Benford’s Law is recognized for its effectiveness in identifying anomalous patterns, especially in detecting irregularities in the first digit of the data. In addition, Bayes’ Theorem was implemented in conjunction with the distance functions to enhance the detection of malicious traffic flows. Bayes’ Theorem provides a probabilistic perspective on whether a traffic flow is malicious or benign. This approach is characterized by its flexibility in incorporating new evidence, allowing the model to adapt to emerging malicious behavior patterns as they arise. Meanwhile, the distance functions offer a quantitative assessment, measuring specific differences between traffic flows, such as frequency, packet size, time between packets, and other relevant metadata. Integrating these techniques has increased the model’s sensitivity in detecting malicious flows, reducing the number of false positives and negatives, and enhancing the resolution and effectiveness of traffic analysis. Furthermore, these techniques expedite decisions regarding the nature of traffic flows based on a solid statistical foundation and provide a better understanding of the characteristics that define these flows, contributing to the comprehension of attack vectors and aiding in preventing future intrusions. The effectiveness and applicability of this joint method have been demonstrated through experiments with the CICIDS2017 public dataset, which was explicitly designed to simulate real scenarios and provide valuable information to security professionals when analyzing computer networks. The proposed methodology opens up new perspectives in investigating and detecting anomalies and intrusions in computer networks, which are often attributed to cyber-attacks. This development culminates in creating a promising model that stands out for its effectiveness and speed, accurately identifying possible intrusions with an F1 of nearly 80 % , a recall of 99.42 % , and an accuracy of 65.84 % .

Suggested Citation

  • Pedro Fernandes & Séamus Ó Ciardhuáin & Mário Antunes, 2024. "Unveiling Malicious Network Flows Using Benford’s Law," Mathematics, MDPI, vol. 12(15), pages 1-37, July.
    • Handle: RePEc:gam:jmathe:v:12:y:2024:i:15:p:2299-:d:1440633
    as

    Download full text from publisher

    File URL: https://www.mdpi.com/2227-7390/12/15/2299/pdf
    Download Restriction: no
    File URL: https://www.mdpi.com/2227-7390/12/15/2299/
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Cerqueti, Roy & Maggi, Mario, 2021. "Data validity and statistical conformity with Benford’s Law," Chaos, Solitons & Fractals, Elsevier, vol. 144(C).
    2. Jie Li & Helin Fu & Kaixun Hu & Wei Chen, 2023. "Data Preprocessing and Machine Learning Modeling for Rockburst Assessment," Sustainability, MDPI, vol. 15(18), pages 1-32, September.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Roeland de Kok & Giulia Rotundo, 2022. "Benford Networks," Stats, MDPI, vol. 5(4), pages 1-14, September.
    2. Roy Cerqueti & Claudio Lupi, 2021. "Some New Tests of Conformity with Benford’s Law," Stats, MDPI, vol. 4(3), pages 1-17, September.
    3. Adriano Silva & Sergio Floquet & Ricardo Lima, 2023. "Newcomb–Benford’s Law in Neuromuscular Transmission: Validation in Hyperkalemic Conditions," Stats, MDPI, vol. 6(4), pages 1-19, October.
    4. Arezzo, Maria Felice & Cerqueti, Roy, 2023. "A Benford’s Law view of inspections’ reasonability," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 632(P1).
    5. Alex Ely Kossovsky, 2021. "On the Mistaken Use of the Chi-Square Test in Benford’s Law," Stats, MDPI, vol. 4(2), pages 1-35, May.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:gam:jmathe:v:12:y:2024:i:15:p:2299-:d:1440633. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: MDPI Indexing Manager (email available below). General contact details of provider: https://www.mdpi.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.